username and password authorization method

Bug #727879 reported by Raimon Esteve (
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Won't Fix

Bug Description

If use a authorization method, don't check user and return Anonymous user

For example:
proxy = xmlrpclib.ServerProxy("http://prova:prova@localhost:8443/xmlrpc") #rpc4django

in rpc4django getattr(request, 'user', None) return always Anonymous

One solution is next code: validate username and password URI

    response = True

    user = getattr(request, 'user', None)
    if 'HTTP_AUTHORIZATION' in request.META:
        auth = request.META['HTTP_AUTHORIZATION'].split()
        if not len(auth) == 2:
            logging.debug('HTTP Authorization is NOT authorized')
            response = False
        if not auth[0].lower() == "basic":
            logging.debug('HTTP Authorization is NOT authorized')
            response = False

        uname, passwd = base64.b64decode(auth[1]).split(':')
        user = authenticate(username=uname,password=passwd)

davidfischer (djfische)
Changed in rpc4django:
assignee: nobody → davidfischer (djfische)
Revision history for this message
davidfischer (djfische) wrote :

This is by design.

When using authentication, you must either setup your webserver to use HTTP basic authentication or you must use the out of the box authentication. See the docs ( for details.

When using HTTP authentication, you should be using the RemoteUserMiddleware to do the password checking automatically. If using the out of the box authentication, you should use the system.login() method.

Changed in rpc4django:
status: New → Won't Fix
Revision history for this message
davidfischer (djfische) wrote :

If you want to see this in action, you can visit:
There are two logins:
 - user: rpcnoauth with password: rpcnoauth - this user cannot call the secret method
 - user: rpc4django with password: rpc4django - this user can call the secret method

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.